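#!/bin/sh
# Firewall policy control (filter table: INPUT and FORWARD chains).
#
# End state: INPUT and FORWARD default to DROP, OUTPUT stays ACCEPT.
# Inbound traffic that is accepted: established/related flows, loopback,
# the LAN subnet arriving on the LAN interface, and new TCP connections
# to ports 80, 21 and 22 arriving on the WAN interface.
#
# Rule order is the point of this layout: the anti-spoofing, bogus-TCP-flag
# and blacklist DROP rules are installed BEFORE the per-service ACCEPT rules.
# With the DROPs appended after the ACCEPTs (the previous layout) a
# blacklisted or spoofed source matched the ACCEPT for port 22/80/21 first
# and the DROP rules never saw the packet.
#
# The two former "NEW from --sport 53/123" ACCEPTs are intentionally gone:
# replies to this host's own DNS/NTP queries are ESTABLISHED and already
# pass the first rule, whereas a NEW-state accept keyed on the remote
# source port lets any remote host reach any local port simply by sending
# from port 53 or 123.
#
# Inputs: BLACKIPFILE (one IP or CIDR per line) and BLACKMACFILE (one MAC
# per line). Blank lines and lines starting with '#' are ignored; a
# trailing '# comment' separated by whitespace is allowed. Entries must be
# literal addresses (iptables would otherwise resolve hostnames via DNS at
# load time, which is not wanted in a boot-time ruleset). A missing or
# unreadable file yields an empty list, as before.
#
# Must run as root. POSIX sh only: no arrays, [[ ]] or local.

set -eu
# iptables normally lives in a sbin directory that cron/init may not put on PATH.
PATH=/usr/sbin:/sbin:$PATH

# WAN (public) side
WANIC=eth1
# shellcheck disable=SC2034 — kept for reference; no rule uses it yet
WANIP=123.124.199.194
# LAN (private) side
LANIC=eth0
LANIP=192.168.100.0/24

# Blacklist files
BLACKIPFILE=/etc/blackip
BLACKMACFILE=/etc/blackmac

#######################################
# Append one "DROP on the WAN interface" rule per entry of a blacklist file.
# Globals:   WANIC (read)
# Arguments: $1 - blacklist file; missing/unreadable file -> nothing added
#            $2.. - iptables match preceding the entry, e.g. "-s" or
#                   "-m mac --mac-source"
# Outputs:   diagnostics for skipped entries on stderr
# Returns:   0; a malformed or rejected entry is reported and skipped rather
#            than aborting the script, so one bad line cannot leave the
#            chain half-built under set -e.
#######################################
blacklist_drop() {
  bl_file=$1
  shift
  [ -r "$bl_file" ] || return 0
  # `|| [ -n ... ]` keeps the last line even when the file lacks a trailing newline.
  while read -r bl_entry bl_rest || [ -n "$bl_entry" ]; do
    case $bl_entry in
      ''|\#*) continue ;;                 # blank line or whole-line comment
    esac
    case $bl_rest in
      ''|\#*) ;;                          # nothing after the entry, or a trailing comment
      *)
        printf 'firewall: %s: skipping malformed line: %s %s\n' \
          "$bl_file" "$bl_entry" "$bl_rest" >&2
        continue
        ;;
    esac
    # Only characters an IPv4 address, CIDR prefix or MAC address can contain.
    case $bl_entry in
      *[!0-9A-Fa-f.:/]*)
        printf 'firewall: %s: skipping non-address entry: %s\n' \
          "$bl_file" "$bl_entry" >&2
        continue
        ;;
    esac
    iptables -A INPUT -i "$WANIC" "$@" "$bl_entry" -j DROP \
      || printf 'firewall: %s: iptables rejected entry: %s\n' \
           "$bl_file" "$bl_entry" >&2
  done < "$bl_file"
}

# Fail closed while the ruleset is rebuilt: default policies go in before the
# flush so the box is never briefly wide open. An existing SSH session
# survives the reload via the ESTABLISHED rule installed right after the flush.
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# 1. Flows already accepted, and anything on loopback.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Packets conntrack cannot attribute to any flow (out-of-window, stray ACKs)
# are never legitimate new connections; drop them before the service rules.
iptables -A INPUT -m state --state INVALID -j DROP

# 2. WAN hygiene, placed before any ACCEPT so it cannot be bypassed.
# Anti-spoofing: LAN addresses never legitimately arrive on the WAN side.
iptables -A INPUT -i "$WANIC" -s "$LANIP" -j DROP
# Bogus TCP flag combinations (scans, fingerprinting); never real traffic.
iptables -A INPUT -i "$WANIC" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i "$WANIC" -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i "$WANIC" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i "$WANIC" -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i "$WANIC" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i "$WANIC" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# 3. Blacklists, also before the ACCEPTs.
blacklist_drop "$BLACKIPFILE" -s
# NOTE(review): on a routed WAN link the source MAC seen on $WANIC is the
# upstream gateway's, so this only matches hosts on the same L2 segment as
# the WAN interface — confirm that is the intent.
blacklist_drop "$BLACKMACFILE" -m mac --mac-source

# 4. What is allowed in.
iptables -A INPUT -i "$LANIC" -s "$LANIP" -j ACCEPT
iptables -A INPUT -i "$WANIC" -p tcp --dport 80 -m state --state NEW -j ACCEPT
# NOTE(review): FTP data connections are only matched as RELATED when the
# FTP conntrack helper is loaded — verify on the target kernel.
iptables -A INPUT -i "$WANIC" -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$WANIC" -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Everything else falls through to the DROP policies set at the top.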
